What is SASE? The complete explanation for IT and business leaders

The five core components of SASE, explained in plain language

SASE is not a single product but an architecture that combines five functionalities. Together they form a complete network and security platform delivered from the cloud without hardware at every location.

SD-WAN (Software-Defined Wide Area Network) handles connectivity between sites, data centres and cloud platforms. It replaces static MPLS connections with intelligent routing across multiple connection types, broadband, 4G/5G or MPLS, and automatically picks the best path per application. Result: better performance, lower costs and less dependency on a single carrier.

FWaaS (Firewall-as-a-Service) brings next-generation firewall protection to the cloud. Instead of a physical firewall at every site, FWaaS delivers deep packet inspection, application control and intrusion prevention as a managed service. Updates are automatic, without maintenance windows.

SWG (Secure Web Gateway) protects users when they access the internet. It filters malicious traffic, blocks phishing sites and enforces acceptable-use policy, for employees in the office, at home and on the road. Same protection regardless of location.

CASB (Cloud Access Security Broker) monitors access to cloud applications like Microsoft 365, Salesforce or SharePoint. It enforces data policy, detects unauthorised use of SaaS tools and prevents sensitive company data from flowing into unapproved applications.

ZTNA (Zero Trust Network Access) replaces VPN with identity-driven access on a least-privilege basis. No one, no employee, contractor or device, gets more access than strictly necessary. Access is continuously verified based on identity, device posture and context. More on this component in our article on replacing VPN with ZTNA.

How SASE works: the single-pass principle

What makes SASE fundamentally different from a stack of separate tools is the single-pass principle. In traditional infrastructure, traffic passes through multiple security engines one after the other: first the firewall, then the proxy, then the DLP scanner. Each extra hop adds latency and increases operational complexity.

In a mature SASE platform like Cato Networks, all security engines inspect traffic simultaneously in one pass, from the same cloud infrastructure. Traffic is decrypted once, processed by all engines and re-encrypted. Result: lower latency, better performance and fewer blind spots between tools.

All policies are managed from one console. All telemetry flows into one data layer. That makes troubleshooting faster, audits simpler and security posture more visible for IT teams who already have enough to manage.

SASE vs SSE, when do you choose what?

SSE stands for Security Service Edge and comprises the security layer of SASE: SWG, CASB, ZTNA and FWaaS. The difference with full SASE is the absence of SD-WAN. SSE secures access to the internet and cloud applications but does not transform the WAN itself.

SSE is a logical choice if you already have a working SD-WAN infrastructure you want to keep, or if budget and priorities require a phased approach that starts with the security layer. Full SASE is the right choice when you also want to modernise the network, replace MPLS, simplify sites, improve cloud performance.

The advantage of Cato Networks is that both scenarios are supported from the same platform. You start with SSE and expand to full SASE when the moment is right, without re-architecting and without a new licence structure. A detailed decision guide is in our article SASE vs SSE: when do you choose what.

Why SASE is urgent now: NIS2, hybrid work and shadow AI

SASE was a future vision five years ago. Today, three concrete drivers make the urgency immediate for international organisations.

NIS2 and the Cyber Resilience Act. The Dutch transposition of the European NIS2 Directive, the Cyberbeveiligingswet, is approaching enforcement in Q2 2026. Organisations in logistics, manufacturing, business services and other designated sectors get a duty of care, a reporting obligation and a registration obligation. Directors become personally liable. SASE addresses multiple technical NIS2 obligations at once: demonstrable access control via ZTNA, automated logging and reporting, and 24/7 detection and response. Read more in our article on NIS2 compliance with one platform.

Hybrid work. At more than ninety percent of Dutch employers, hybrid working is the norm. Employees connect from home networks, hotels and coworking spaces to corporate applications. Traditional perimeter-based security, built on the assumption that everyone works in the office, is structurally unsuited to this reality. SASE solves this by taking security with the user, regardless of location or device.

Shadow AI. Employees use public AI tools, ChatGPT, Copilot, Gemini, even without IT approval. Company data ends up in public models. CASB and the Cato AI Security module are designed specifically for this and enforce policy without blocking innovation.

How Cato Networks delivers SASE in practice

Cato Networks has been recognised by Gartner as a Leader in the Magic Quadrant for SASE Platforms 2025, for the second year in a row. The platform is built from the ground up as a single cloud-native architecture, powered by a GPU-based global private backbone with more than 85 PoPs worldwide.

In March 2026, Cato launched a modular adoption model that lets organisations start with the module that is most urgent, AI Security, SD-WAN, SSE or Universal ZTNA, and expand in phases without re-architecting. Each module is a complete enterprise-grade solution in its own right and runs on the same underlying platform.

Momentum EMEA implements and operates the Cato platform as EMEA's leading specialised Cato implementation partner. The unique value is the combination of underlay (carrier-neutral internet connectivity for all your sites) and overlay (Cato SASE), from one contract, one SLA and one team. More about the platform in our article on the Cato Networks platform in detail.